The Article 29 Working Party (WP) published an opinion as the European Parliament, the European Commission and the European Council begin 'trilogue' discussions to finalise the wording of the General Data Protection Regulation. The Regulation, if agreed upon, would introduce a new single data protection law for the whole EU that would apply to all businesses processing the personal data of EU citizens regardless of where they are based in the world.
In letters to representatives of the Parliament, Commission and Council, the WP said that there must be consistency between the Regulation and the proposed Directive in relation to how the data processing activities of law enforcement agencies would be regulated.
The term 'personal data' should also be defined, in line with changes in technology, it said. The definition should take into account whether people can be 'singled out' and treated differently on the basis of identifiers. The definition should take into account recent Court of Justice of the European Union rulings on IP addresses and other online identifiers, and whether these should be considered personal data.
The WP cautioned against any watering down of the purpose limitation principle, and said that data protection authorities also need appropriate powers and resources to do their job.
The text of the Regulation should be simple, clear and easy to understand, the WP said.
"There must be as little doubt as possible about the rights and protections that the regulation affords to individuals. Compliance details can be kept away from the face of the regulations and should be issued under the form of guidance," it said.
The Article 29 Working Party is a committee made up of representatives from each of the EU national data protection authorities.
The Commission's original proposals for data protection reform were published in January 2012. MEPs endorsed their own version of the Regulation last year and a broad consensus was reached by the Council on an alternative draft Regulation earlier this year, paving the way for the trilogue negotiations to begin.
However, major differences exist between the proposals, and the Parliament and Council must both vote to approve the wording of the reforms before the new laws can be introduced.
The differences include divisions over the standard required if organisations want to rely on consent as a legal basis for processing personal data. MEPs backed rules that require 'explicit' consent, whereas the Council's draft specifies the need for 'unambiguous' consent to personal data processing.
Consensus is also needed on issues such as enforcement of data protection in cross-border cases, and a sanctions regime. MEPs want data protection authorities to be able to fine companies up to 5% of their annual global turnover, while the Council wants a 2% turnover limit on possible fines.
The new Regulation will also bring new requirements on notification of data breaches, force companies to carry out data protection impact assessments before launching certain new products and services, and could alter the balance in liabilities that currently exists between data controllers and processors.